Security Development Lifecyle

An application Security Development Lifecycle (SDL) provides a model for building and releasing robust and secure products. We can build your entire SDL or any component of it, implemented by division or company-wide. Casaba has been selected as one of the few members of the Microsoft SDL Pro Network since it launched in 2010. The SDL Pro Network consists of security consultants, training companies, and tool providers who specialize in application security and training, and who have demonstrated substantial experience in the methodologies and technologies which make up the Microsoft SDL. This relationship with the Microsoft SDL Pro Network fosters our commitment to providing top-quality SDL services to our clients.

SDL programs take time to setup and require continuous management. Their success requires top-down commitment and evangelism. To work well, an SDLC must integrate with the development culture and be emraced for the value added, rather than viewed as an impediment or speed bump in the release schedule. Casaba has experience and expertise setting up and managing SDL programs from soup to nuts. We can design the policy and deploy the SDL implementation, and build out more mature complimentary SDL services such as internal red teams and bug bounty programs. We've been the caretakers responsible for some of the world's largest software vendors, serving as the in-house SDL oversight team, working daily with engineering teams to help them move through each of the SDL phases from design through testing and release, and reporting value metrics to management and stakeholders.

Learn more about our SDL capabilities.

Bug Bounties

If you want to run your own in-house bug bounty program, we can handle the parts from ingesting reports, to triaging bugs with product teams, to handling finder communication. More and more organizations are adopting bug bounty programs as they have proven themselves to be a useful part of today's security program. But it's not as simple as just putting out an email address and waiting for the bugs to come in.

Bounty programs require report management, finding the signal in the noise, and engaging with the finders in a sincere and respectable manner. Following that, there's an element of bug triage required, involving reproducing and identifying duplicates, as well as assessing the security impact, for which industry standards like CVSS provide a consistent communication tool.

Bounties don't end there though, you need to work with engineers to understand and mitigate the issue, and finally justify and award and payment for the original finder, all the while keeping in close contact with them.

Continuous Penetration Testing

Penetration testing means different things to different people. If you need continual pen testing of a number of products and services, or third-pary vendor products, we have you covered, from setting up an initial program structure to executing and delivering results to key stakeholders.

We've helped stand up central red team programs that reach across a company's divisions. In this role we take on the responsibility of scoping the Rules of Engagement within the company, to setup a penetration testing program that can operate continually and without bottleneck, providing useful feedback to both the engineering and operations teams. Penetration testing in this capacity serves multiple functions. In the traditional sense it finds bugs in both software and operational infrastructure that need to be addressed. And in today's complex environments where everything is assumed hostile, it simulates real-world attacks, testing the defensive and monitoring capabilities of your company, and keeping your operations' staff on their toes.

Security Planning and Design

Before you start investing precious time and resources in building your product, leverage our experience to make sure it incorporates the latest in security design. Our experts will review your plans and identify opportunities to prevent exposure to existing and emerging security threats.

Casaba works closely with in-house design and development teams to ensure the right balance of security every step of the way.

Through threat modeling we will work closely with you to identify issues even as early as the conceptual phase. Having this knowledge enables you to design a robust product that expects to be attacked but is ready to withstand the onslaught.

Security isn't a one-time deal, there are numerous moving parts to consider and prepare for, from Authentication, Authorization, State tracking, Cryptography, DoS resistance, Disaster Recovery, Monitoring, Logging, Repudiation, Intrusion Detection and more

Internet of Things

Casaba has been selected as a trusted security partner by Microsoft, to provide world-class security expertise to companies building or deploying IoT technology.

Our processes combine years of experience in application, device, and hardware experience across consumer and enterprise products. Casaba combines this experience with deep knowledge of the Azure IoT stack, Microsoft's suite of cloud-based internet of things services.

To read more about Casaba's partnership with Microsoft, visit Microsoft's security blog.

Application Security Testing

Applications need to have their assumptions and defenses tested. We use our security expertise to find vulnerabilities, assess impact, and estimate the extent of potential damages. While it is often expensive to fix issues discovered at this point in a project’s life-cycle, it is better to know now before the problems are exploited by someone else.

Although an automated scanner can expose certain vulnerabilities, there is no substitute for a comprehensive assessment of your product’s security by a group of Class-A experts engaged closely with your team.

For the most effective use of time, we recommend a source-assisted pen-test. White box and black box approaches both have their merits, but by combining the two into a “gray box” approach, we leverage information from the code to improve testing and pinpoint critical pieces of the code for thorough review. This method saves time while identifying the highest number of design and code-level bugs.

Casaba has deep experience reviewing the security of complex systems and providing guidance to plan for and protect against the latest attacks and threats. We're flexible enough to work through the early stages of a v1 product, or join in the later stage development of a more mature product.

Reverse Engineering

How long would it take an attacker to reverse engineer your product and compromise the protections it relies upon? How strong are your anti-debugging measures? Do you have an obfuscation layer capable of frustrating an experienced reverse engineering effort? If you've taken the time to implement anti-reversing protections, you probably have a serious interest in security. Let Casaba validate whether your protections work as expected, or expose and isolate any weaknesses using these and other proven methodologies.